Wednesday, January 16, 2013

I conceal my identity the same way Aaron was indicted for

According to his indictment, Aaron Swartz was charged with wire fraud for concealing/changing his "true identity". It sent chills down my back, because I do everything on that list (and more).

To understand what I do, look at the screenshot below, and how evidence of my misbehavior shows up in my home router DHCP table:

The first thing you'll notice is that I have a lot of MacBooks belonging to Martin. Actually, there is only one, but it randomizes its MAC address when it boots. Thus, every time I start it, it adds yet another entry in the DHCP table, appearing as another computer.

And my name isn't "Martin". That's a name I made up.

Notice the MAC address of the cell phone labeled "HTC One X". If you look up the first three bytes, you'll find that it's not an HTC device but an Apple device. It's my iPhone 5. (Sadly, I don't know how to spoof the MAC address of my iPhone.)
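What a DHCP table like the one described above can and cannot tell an administrator, as an added example that is not part of the original post. The lease entries, the one-entry OUI table and the hostname keyword map are constructed for illustration; a real check would load the IEEE registry.

```python
import re
from collections import defaultdict

# One-entry sample OUI table (assumption: real use loads the IEEE registry).
SAMPLE_OUI = {"00:03:93": "Apple"}

# Hypothetical hostname keywords -> vendor that the label implies.
HOSTNAME_HINTS = {"htc": "HTC", "macbook": "Apple", "iphone": "Apple"}

# Constructed lease table shaped like the router view described in the post.
SAMPLE_LEASES = [
    ("Martins-MacBook", "5A:1C:9E:20:44:01"),
    ("Martins-MacBook", "d6-77-03-ab-10-9f"),
    ("Martins-MacBook", "00:11:22:33:44:55"),  # the address used later in the post
    ("HTC One X", "00:03:93:5c:21:7e"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")


def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", s))


def describe_mac(text, oui_table=SAMPLE_OUI):
    """Decode the two flag bits of the first octet and look up the OUI."""
    octets = parse_mac(text)
    local = bool(octets[0] & 0x02)  # U/L bit set: locally administered
    group = bool(octets[0] & 0x01)  # I/G bit set: group address, not a valid source
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "locally_administered": local,
        "group": group,
        # The first three bytes only name a vendor for universal addresses.
        "vendor": None if local else oui_table.get(oui),
    }


def hinted_vendor(hostname):
    """Vendor implied by the client-supplied hostname, if any keyword matches."""
    name = hostname.lower()
    for keyword, vendor in HOSTNAME_HINTS.items():
        if keyword in name:
            return vendor
    return None


def analyze_leases(leases, oui_table=SAMPLE_OUI):
    """Return (hostname, finding, detail) tuples for a list of (hostname, MAC)."""
    by_host = defaultdict(list)
    for hostname, mac in leases:
        by_host[hostname].append(describe_mac(mac, oui_table))
    findings = []
    for hostname, macs in by_host.items():
        distinct = {m["mac"] for m in macs}
        if len(distinct) > 1:
            findings.append((hostname, "multiple-macs", len(distinct)))
        claimed = hinted_vendor(hostname)
        for m in macs:
            if m["group"]:
                findings.append((hostname, "group-bit-set", m["mac"]))
            if m["locally_administered"]:
                findings.append((hostname, "locally-administered", m["mac"]))
            if claimed and m["vendor"] and claimed != m["vendor"]:
                findings.append((hostname, "vendor-mismatch", m["vendor"]))
    return findings


if __name__ == "__main__":
    for finding in analyze_leases(SAMPLE_LEASES):
        print(finding)
```

The entry `00:11:22:33:44:55` produces no per-address finding: a chosen address that leaves the locally-administered bit clear looks like any vendor-assigned one, and the hostname used to group entries is supplied by the client as well.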

On my last flight across the country, I signed up with GoGo Inflight. I used a fake name, a fake email account (at mailinator.com), and a prepaid anonymous Visa card. My intent wasn't to defraud them -- I already know how to get GoGo Inflight for free using several techniques, such as spoofing the MAC address of another passenger. Because I'm an honest law-abiding citizen, I paid for the WiFi -- I just did so while remaining anonymous.

Remember the Stratfor hack from last year? One of the 800,000 accounts dumped on the Internet belongs to me. Only, you don't know it belongs to me because I didn't give my real name or my primary (well known) email address. I have a special email address reserved for accounts just like Stratfor. I also have a separate email account that I solely use for e-commerce, with a name unrelated to my real name, that I use for Amazon, PayPal, and so forth. I rarely give out my "real" email address.

Why do I do all this? That's none of your business! I mean, all this has perfectly rational explanations in terms of cybersecurity, privacy, and anti-spam. You can probably guess most of the reasons. But explaining myself defeats the purpose. I shouldn't have to explain myself to you, to prosecutors, or to a jury. I have a human right to privacy, and guarding that right should not be cause for prosecution.

That's what's scary about the Aaron Swartz indictment. He was indicted for wire fraud for concealing his "true identity", for doing what I do. But at no time was he asked for his true identity. His true identity was not needed to access the JSTOR documents. JSTOR allowed anybody from the MIT network to access their documents, and MIT allowed anybody to access their network without requiring identity.

Let me repeat that: nobody asked Aaron for his true identity, but he was indicted for wire fraud for concealing his true identity. He was indicted for doing the same things I do every day.

It's around this time that people bring up how Aaron used MAC spoofing to get around blocks put in place by MIT. These people don't understand MAC addresses. MAC addresses are not a machine's true identity. They aren't a means of security or authorization. When somebody blocks your MAC address, it doesn't send the message "you are unauthorized"; it's not clear precisely what message it sends. It's like saying that if somebody blocks your phone number, then calling from a different phone is wire fraud. Your phone number is not your true identity, and neither is your MAC address.

MIT's own WiFi access-points spoof MAC addresses. For example, if you netstumble the MIT campus you'll find two access-points with the MAC addresses "00:21:d8:49:98:61" and "00:21:d8:49:98:62". These are actually the same access-point, which is spoofing MAC addresses in order to appear as multiple networks ("MIT" and "MIT GUEST"). When Aaron spoofs, it's wire fraud. When MIT spoofs, it's normal network operation.

Besides taking the "civil liberty" angle, I'm trying to get to the "witchcraft" angle. As Arthur C. Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch". People fear magic they don't understand, and distrust those who wield that magic. Things that seem reasonable to technical geeks seem illegal to the non-technical. The non-technical think they understand MAC addresses and address blocking, but they don't. Thus, Aaron's indictment might seem a fair interpretation of the law, but it's a wholly unfair interpretation of technology.

So, anyway, at the bottom of this post is the magic incantation you need to cast over your MacBook in order to randomize your MAC address. I recommend against you using it, though, because this may cause a bunch of villagers to come after you with torches and pitchforks.

Magic Incantation

On Mac OS X, you simply type the command "ifconfig en0 ether 00:11:22:33:44:55" to change the MAC address (until the computer reboots). To get it to change (from the burned-in address) on every reboot, you need to put that command in a startup script, under the directory "/Library/StartupItems". It's actually a complicated process.

Somebody has made it easier at the URL https://github.com/feross/SpoofMAC. This uses a Python script to make things a little bit more robust than just running ifconfig, and it has a complete explanation on how to create the script.

I don't like his solution, so I changed the startup script to look like the following:

Update: As usual, other people say things better than I can. In this piece Marcia Hoffman says about MAC address authorization: “That’s not a lock. That’s a speedbump. If you drive around a speedbump instead of over it, is that illegal?”

62 comments:

When I worked for Comcast it was an issue all the time with duplicate MACs on the same node. And those were modems from the same manufacturer.. so how is MAC address supposed to be a unique identifier anyway?

also anyone with a brain can spoof MAC/IP/Location/Caller ID on their Android.. are they criminals?

PLEASE don't do this. Changing your MAC to something random runs the risk that your address will collide with one that is being used by something that other network users care about (e.g. network infrastructure components like switches and routers, or shared resources like servers and printers).

The MAC address that came with your computer's networking hardware was allocated to it by the people who made it, who, in turn, allocated it from IEEE. This is done specifically to prevent the situation where multiple devices on the same network have the same MAC address, to ensure that the network remains usable for OTHER PEOPLE.

Obviously, the MAC address isn't an identity. Anyone can change it, and despite @6:59am saying it's coming from the IEEE, that's not for every individual device. The first few digits can often identify the manufacturer.

But, regardless, if it's not an identity, then randomizing doesn't hide anything.

Conversely, if randomizing it does hide something identifiable, then perhaps it is an identity of sorts -- or can directly lead to one. And, therefore, masking it is an attempt to hide or spoof an identity.

I don't see it as any different than a DHCP server assigned a different IP address if it sees the same MAC address twice, ever. Due to the changing nature of IP addresses and the non-static nature of MAC addresses they aren't really any different. As an address, they are an identity to something, just like a mailing address identifies something. Just not necessarily a person. But there's usually someone involved at some points. Or maybe skynet.

@6:59. I'm afraid you don't know what you're talking about. Creating random mac addresses happens all the time with no detriment to the world at large. There are 281,474,976,710,656 possible MAC addresses so the odds of grabbing the same one as another computer are infinitesimally slim.

no, you don't. what you've written is not only misleading, but you give an actual example of what Swartz was indicted for -- spoofing MAC addresses to steal something from somebody (in your case, a paid account for inflight wireless). Criminal charges require that a real or imaginable harm has taken place--in Swartz's case, the potential distribution of JSTOR's intellectual property. In and of itself, forms of technical (or any other) anonymity are not going to get you arrested any more than having multiple email addresses, Facebook accounts, Twitter handles, or anything else will. Prove me wrong by pointing to any arrest--let alone conviction--for the simple act of being anonymous.

@6:59 The same solution to the same problem: if somehow you grab the MAC Address of another machine, do another ifconfig, or if you're Terminal shy, restart the machine if that startup script is in place. But I bet you're struck by lightning first before that happens.

Also, Google CAPTCHA, glad to help you ruin some random user's privacy by translating Street View addresses before I can post this comment. Great way to flip off the general public and to discourage privacy advocates from participating in online dialog anonymously.

> ... Aaron used MAC spoofing get around blocks put in place by MIT...

It's not the "Aaron used MAC spoofing" part that got him into trouble, it's the "Aaron used MAC spoofing to [REPEATEDLY] get around blocks put in place by MIT" that did... Along with a bunch of other things, like, oh, deliberately trying to download tons of documents with the intent to re-distribute that he had no right to. The context is all important.

Your post is the equivalent of reading an indictment that says "accused bought a kitchen knife and accused stabbed victim", and then telling people, "I buy kitchen knives every month! Am I a criminal?! The justice system doesn't understand cooking!!"

Geeks like to think that the problem is that the law doesn't understand tech, but the real problem is that geeks don't understand the law.

The law is very concerned about intent. You can change MAC addresses and spoof packets as much as you want, as long as you don't do it with criminal intent. I did it all day long when researching network anonymity at university. Heck, you can even walk out of shops without paying for stuff as long as you can honestly say you simply forgot.

Swartz had criminal intent and he knew it, which is partly why the case against him was so strong. And please, do not try to argue that he did not know it -- I mean, come on, hiding his face from security cameras while trespassing? Dropping his bike and running from cops?! Please. We can debate if the laws are fair or if the charges were too severe, but let's not try to pretend that he had no criminal intent, and let's not analyze his actions out of context and imply they were harmless.

People think I am paranoid because I have seven email addresses and use certain ones that are completely anonymous for many things online. The downside is when I go to the grocery store and do not remember the phone number I gave them for the discount card. Now I have to figure out how to do the MAC thing with an iPad...

C'mon folks. MAC ID alteration is old stuff. DEC equipment using DECNet protocols did it 25 years ago and it was normal operation for the software to override the hardware MAC with one formulated specifically for the local network operations. The MAC numeric only matters on the local network. It is not used beyond that level at all, but is replaced by the (also reusable in most cases) IP address.

He was not indicted for concealing his identity. Don't be ridiculous. He was indicted for fraud, because he was stealing thousands of documents from a network he was not authorized to access. He even physically broke into a network room and hardwired himself in!

Many commenters are saying that Aaron used this technique to get around blocks imposed by MIT. Jennifer Granick made a very important point about this. Those blocks were not attempts to stop *unauthorized access*, they were attempts to stop access which was *too fast*. Alex Stamos has written eloquently on how the access in question was, indeed, authorized - the machine had an IP address in the right netblock, obtained using an approved mechanism supplied by the owner of the netblock.

"Why do I do all this? That's none of your business! I mean, all this has perfectly rational explanations in terms of cybersecurity, privacy, and anti-spam. You can probably guess most of the reasons. But explaining myself defeats the purpose. I shouldn't have to explain myself to you, to prosecutors, or to a jury. I have a human right to privacy, and guarding that right should not be cause for prosecution."

Seriously, why would one spoof a MAC address? Since a MAC address is assigned to a device (like my Mac), I can see why spoofing it would increase my privacy. Are there other reasons?

@1:08 To use JSTOR, you must agree not to download more than a certain number of articles, and not to use any sort of automated downloading. He was changing his identity so that he could evade this cap each time JSTOR cut him off. This was all done as a registered guest on MIT's network, and he was also violating their terms of use.

He was "NOT" stealing documents. Under the MIT policy, and the JSTOR policy, he had every right to access and collect those documents.

Furthermore, he had every right to change his mac address, hide his face from security, and otherwise obscure his identity, as none of those were in and of themselves illegal.

While they can prove intent to distribute articles illegally, possession of those articles, and any method of accessing them legally is not an illegal act in itself.

I can buy a million kitchen knives, and consider stabbing people with them and not go to jail, no matter how much I 'think' about doing it. Furthermore I can't be arrested because I bought the knife with the intent to stab someone. I can only be arrested if I take that legally acquired knife and attempt to act on my thoughts and actually try to stab someone, and you can't charge me with buying the knife legally.

I'm just curious why what he did would involve ANY jail time considering that the HSBC murderers and thieves just had to defer their bonuses for a few months? I mean, shouldn't the penalty fit the crime? Sure, he (apparently - i.e. intent) broke some laws that harmed exactly no one. HSBC on the other hand purported one of the most heinous acts in recent memory and they get NO penalty?

Thanks for a good post, excellent points. USA is the most restrictive and dictatorial country in the world with a legal system that is misused on the highest level - and they have the gall to criticize Hitler, China and North Korea, or whichever country they are now targeting. I'm very happy I don't live in America. Too bad they wish to spread this filth elsewhere.

With regard to "criminal intent": the CFAA is absurdly broad. It includes this clause: "Making changes in any information on the computer systems of the USA with the intention of misleading or hiding certain information." That clause has no specification of "intent", criminal or otherwise. There's no definition of what "misleading" is supposed to mean. "Hiding certain information" is ridiculously broad. Read on its face, pretty much anything, even deleting a post on Facebook, could be said to be a violation of the CFAA. The Act needs serious reform, it was obviously abused in this case, the overcharging was absolutely ridiculous and disproportionate.

The issue here is not whether or not Aaron did something he shouldn't have. The issue is whether he should have been forced to plead guilty to a felony and serve jail time for what really never ought to have been brought to Federal attention in the first place. As Tim Wu points out, Steve Jobs and Steve Wozniak started out as phone phreakers. Would the world have been a better and safer place had the government bullied them into being felons? Give me a break. JSTOR itself wanted the prosecution dropped. MIT, to its eternal shame, failed to join them. This is an indelible black mark on MIT and the US Attorneys who were involved. Whether Aaron was in the wrong or not is debatable, but it is not debatable that MIT and the US Attorneys are guilty of a horrific overreaction leading to a senseless tragedy that impoverishes the world.

Love the article, it makes an issue of the 'law being an ass' quite obvious and how it is applied to users like this is a bad result. But I also have to make the comment, that hiding your intentions is also part of the problem.. This is also happening with photographers. When an officer asks you what you're doing you can try to explain it simply or you can start arguing about having the right to be here and doing what you're doing and not having to explain yourself.. Which do you think would be more helpful? As you stated you don't have to explain your reasons for being anonymous, I don't have to explain my reasons for being in a street taking a photograph.. If we don't then the officer will investigate the situation (with or without my help) until he finds an explanation or a reason. Without my help he will eventually find a reason that I shouldn't be there, with my help he could quickly accept why I am there, see no issue and move on. Yes you have a right to privacy, and the law has an obligation to determine a result...

The US government's reaction to Swartz's theft was absurd. Demanding privacy when using your computer should be the norm not an exception.

To add to the OS X MAC spoofing script I added a little hostname spoofer. It just replaces your hostname with a couple random words. It would probably look better if it ended in `s-MacBook-Air` but at least it's a start.

"I can buy a million kitchen knives, and consider stabbing people with them and not go to jail, no matter how much I 'think' about doing it. Furthermore I can't be arrested because I bought the knife with the intent to stab someone. I can only be arrested if I take that legally acquired knife and attempt to act on my thoughts and actually try to stab someone, and you can't charge me with buying the knife legally."

Not true. If you bought a knife with the intent of using it for murder then you have committed an offence. There is a long established precedent in common law that the intent with which you acquire or carry something can make carrying it an offence. See also laws on going equipped for burglary, theft etc, both in common law and statute.

That clause has no specification of "intent", criminal or otherwise.

This is a ludicrous objection. As if every clause of every law must individually define its terms! Not only could the CFAA include a definitions section (it is certain to), the definition of 'intent' in criminal cases has been established for more centuries than I care to count. That you are ignorant of that doesn't make it not so.

I'm sorry, that is just inane. You haven't even read the statute --- you're just blathering. Read the fricking statute before opining. Mens rea simply refers to whether or not the defendant had specific intent to engage in a prohibited action. The statutes are what define prohibited actions, not some vague, meaningless notion of "criminal" --- what is criminal is what is prohibited by statute, and that's what's partly at issue here. Intent only has to do with intent to violate this or other statutes. The clause I quoted is one of several independent clauses that specify what prohibited actions are. Stop being so lazy (there's nothing worse than someone being simultaneously arrogant and patronizing while not actually knowing what the hell you're talking about in the least).

There are quite a few independent points here which you're stupidly and lazily ignoring. First: the law is ridiculously broad. The law as written could be read to criminalize almost any ordinary activity online --- which is what many prosecutors have attempted to foist upon the courts.

This is not merely my opinion. It's a widely known issue. For example, take this one of many articles on the subject.

The central point here, however, completely aside from the ludicrously overbroad law, is the fact that Swartz should not have been forced to plead guilty to felonies and to do hard time. For more on this, I give you this interview with retired Federal Judge Nancy Gertner:

http://www.wbur.org/2013/01/16/gertner-criticizes-ortiz-swartz

'“When that happens the prosecutor has enormous power and has to exercise that with some degree of fairness and judgment at that end,” she added.

And this is what Gertner says Ortiz lacked in the case of Aaron Swartz. If the government was willing to recommend four months in prison, Gertner asks, why not two years in a diversion program which would have suspended and dropped charges if he committed no crimes during that period?'

I was going to write a long-winded response praising Aaron and indicting MIT and JSTOR of hypocrisy. But, aren't we all culpable of sustaining institutions which are more self-serving than the embodiment of the high-ideals envisioned by the founders?

A MAC address block at worst indicates that you may not be "authorized" (statute term) to access the *wireless network*. Wireless networks are managed differently than wired networks, and it naturally follows that one should instead use the (open) *wired* network in an (unlocked) closet to access JSTOR.

Concerning "criminal intent," changing the MAC address is evidence of that (good enough for an indictment), but there are other reasons why one would change your MAC address without "criminal intent." That is the original post's point.

I think that a better explanation for changing your MAC address (without criminal intent) is that Aaron was trying to figure out WHY he was kicked off the network. When your computer doesn't connect, you jog it into requesting another IP address. Problem solved! When you can't connect again, you say "hmmm, what is going on." You request another IP address, but that doesn't work. You ask, "is it a wireless policy because I'm hogging wireless bandwidth?" You then change your mac address. You connect. You conclude, "ah, it is a wireless policy, I'm hogging the bandwidth and MIT doesn't want that; I'll just use the wired connection in the closet." You connect in the closet but you don't want people messing with your laptop (or stealing it), so you cover it up.

A Wifi MAC address block at worst means you don't have authorization to connect to the wireless network to do what you were doing. It does not mean you do not have authorization to connect to the JSTOR "computer" - which is what the prosecution would have to show.

There you have it - changing your IP address and MAC address without criminal intent (in Aaron's case) to access a "computer" (statute term) without "authorization."

So the guy complaining about "criminal intent," as a point, which is addressed with the argument above. Simple troubleshooting by Aaron.

There are two separate problems here. The first is that the law as written is ridiculously broad. There are many parts of the statute that refer to intent --- but there is one section that says mere "unauthorized" access of a computer to get information (of any kind, regardless of what you intend to do with it) is a felony. This is a gaping hole in the law which ought to be closed, as many people have argued. If violating the terms of service in any way constitutes "unauthorized access" (one person was allowed to be sued for deleting files on his work laptop after he'd decided to quit, under the theory that he was no longer "authorized" to access the laptop after he *decided* to quit --- not even after he actually quit).

The second issue is whether or not Aaron was overcharged, and that is incredibly clearly the case. Prosecutors, as that retired Federal judge said, should never have prosecuted this case. Aaron should have been let off with a diversionary program of some kind. They were trying to ruin his life over doing something that may have been technically illegal but was not something that deserved a felony conviction. That's the real travesty here.

Really? How is that a human right? You have a *preference* for privacy.

But a right.. I'm not so sure. A right can only be conferred by the community in which you live, as long as everyone else abides by those same standards/rules.

I can see many benefits if no one could hide behind an anonymous mask on the internet, if everyone was forced to defend their own opinion as everyone would know what they truly thought or what actions they'd taken on the 'net.

But at the same time, I can see how that would curb people's freedom to express themselves for fear of being judged or persecuted.

There are many examples of laws that impute intent to situations, but the closest examples are drug laws where possession of some may be legal (controlled OTC or with a prescription), getting multiple prescriptions (presumably from different doctors) or using multiple identities for controlled OTC drugs (parallel to changing MAC addresses to get more than the allowed number of documents) is illegal, and regardless of how obtained, possession of more than X can be illegal regardless of how obtained and can 'prove' intent to illegally distribute - not necessarily for a profit, just without the legal right to do so. (Anonymous because I don't like to have to get permission to speak. KDLNeal other places.)

Spoofing your laptop's mac inside your own private network does absolutely nothing unless you are trying to fool yourself. When you make a connection from a device inside your network, to a device outside your network, the mac address of the WAN port of your router is used, never the mac of your computer connected to your private network. When your packet reaches your ISP's router and gets routed to the next router upstream, the mac then becomes the mac address of the interface that relayed the packet, it does this every router it goes through, the only thing that stays the same is the origin and destination IP's and ports. MAC's are just identifiers between physically connected interfaces.

Now spoofing the mac of your router's WAN interface is only going to make it look like you keep changing routers to your ISP, nothing beyond that will matter, and when somebody comes looking for the person using IP's x, y, and z, on specific dates and times, your ISP is going to know that it was you, regardless of what mac address your router was using.

Sorry if I missed this but.. Is there a complete listing of files downloaded even though the data itself was surrendered? Or perhaps more to the point: which databases or sources was he after? He was a unique kind of intellect/genius. ...like chess grandmasters, yes?

Has anyone asked you to explain why you're doing that? If not, it might be because you didn't break into JSTOR. Aaron wasn't indicted because he faked a MAC address he was indicted because some people think that breaking into JSTOR was a criminal act. It's one more sad note about Aaron's passing that with his being gone, we no longer have the opportunity to clear all this up via litigation. I think your next blog post should be an open letter to your congressman, telling him the way the laws should be changed to protect Aaron's indicted activities in the future.

Yes, this is not intent of article..but if he suspected that the jstor was a gateway to "other" materials than perhaps the legal & lawful tenets are inapplicable because black projects are can not rely upon earthly commercial & ADMIRALTY law...upon which international "intellectual and creative" products and informationals are instantiated and subsequently governed ....enforceable by non-black dicks with guns...er, 30 inch waistbelts.

This is a little off (some of) the topics, but someone asked how to change MACs on a Windows Box. I generally use http://www.technitium.com/ (freeware) for that.

I also just ask my VM manager (e.g. VirtualBox, VMWare Player/Workstation/Fusion, etc.) for a new one when needed. (I use a lot of VMs.) More and more, computers and network devices are virtual rather than physical. (Where do you think all those MACs are coming from?) I know people that use a new (virtual) computer every day for web browsing.

In practice, there's nothing reliably identifying about a MAC, but since so few people actually do change it, it does get abused that way. But it is by no means a form of authentication. Abusing it that way is just lazy convenience.

Now for actual hardware (network cards or chips), it can be like a device serial number. So if you don't think it's wise to always wear something akin to your Social Security Number on your shirt, you should probably change it, at least in certain circumstances.

you're wrong. The precedent of Griswold v. Connecticut states that the Constitution does in fact grant the right to privacy. Also the larger issue at hand is that he was going to spend most of his life in prison over stupid charges. outside of the B&E the wire fraud only applies to obtaining money,[this is nobody's property hence his access to it under the law cannot be challenged], his "damage" is very easily undone to the protected computer. That's the larger issue at hand even ignoring the fact that the stringency of current computer laws is hardly good for the internet